Actualiser miscellaneous/secure_ssh.sh

This commit is contained in:
2025-04-02 01:29:55 +02:00
parent f37d7bec80
commit f8034e007e


@@ -17,14 +17,50 @@ if [[ "$EUID" -ne 0 ]]; then
fi fi
# Define important variables # Define important variables
# SSHD_CONFIG: Location of the SSH daemon configuration file
# BACKUP_FILE: Location of the backup file with timestamp
SSHD_CONFIG="/etc/ssh/sshd_config" SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak"
# Function to validate IP address
validate_ip() {
local ip=$1
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
stat=$?
fi
return $stat
}
# Create a backup of the current SSH configuration # Create a backup of the current SSH configuration
# This allows rollback if something goes wrong
cp "$SSHD_CONFIG" "$BACKUP_FILE" cp "$SSHD_CONFIG" "$BACKUP_FILE"
echo "Current SSH configuration backed up to $BACKUP_FILE"
# Configure SSH port (mandatory)
while true; do
read -p "Enter the SSH port to use (between 1024 and 65535): " new_port
if [[ "$new_port" =~ ^[0-9]+$ ]] && [ "$new_port" -ge 1024 ] && [ "$new_port" -le 65535 ]; then
port_setting="Port $new_port"
break
else
echo "Error: Please enter a valid port number between 1024 and 65535"
fi
done
# Configure IP whitelist (mandatory)
while true; do
read -p "Enter the IP address to whitelist for SSH access (e.g., 192.168.1.100): " allowed_ip
if validate_ip "$allowed_ip"; then
allow_users="AllowUsers *@${allowed_ip}"
break
else
echo "Error: Please enter a valid IP address"
fi
done
# Present authentication method options to the user # Present authentication method options to the user
echo "Choose authentication method:" echo "Choose authentication method:"
@@ -67,26 +103,7 @@ case $auth_choice in
;; ;;
esac esac
# Configure IP restriction options
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
if [[ "$restrict_ip" == "yes" ]]; then
read -p "Enter the IP address to allow SSH access: " allowed_ip
allow_users="AllowUsers *@${allowed_ip}"
else
allow_users="# AllowUsers configuration not set"
fi
# Configure SSH port options
read -p "Do you want to change the SSH port? (yes/no): " change_port
if [[ "$change_port" == "yes" ]]; then
read -p "Enter the new SSH port: " new_port
port_setting="Port $new_port"
else
port_setting="# Port configuration not changed"
fi
# Create new SSH configuration file with secure settings # Create new SSH configuration file with secure settings
# This configuration follows Mozilla's Modern OpenSSH server recommendations
cat <<EOL > "$SSHD_CONFIG" cat <<EOL > "$SSHD_CONFIG"
# SSH Server Configuration # SSH Server Configuration
# Generated by secure_ssh.sh script # Generated by secure_ssh.sh script
@@ -96,6 +113,12 @@ cat <<EOL > "$SSHD_CONFIG"
# Protocol version (only SSH protocol 2 is secure) # Protocol version (only SSH protocol 2 is secure)
Protocol 2 Protocol 2
# Port configuration (mandatory)
$port_setting
# IP restriction settings (mandatory)
$allow_users
# Authentication configuration # Authentication configuration
$auth_method $auth_method
@@ -124,29 +147,40 @@ MaxSessions 2
LogLevel VERBOSE LogLevel VERBOSE
ClientAliveInterval 300 ClientAliveInterval 300
ClientAliveCountMax 2 ClientAliveCountMax 2
# IP restriction settings
$allow_users
# Port configuration
$port_setting
EOL EOL
# Configure UFW firewall if installed
if command -v ufw >/dev/null 2>&1; then
echo "Configuring UFW firewall..."
ufw allow from "$allowed_ip" to any port "$new_port" proto tcp
ufw status
fi
# Restart SSH service to apply new configuration # Restart SSH service to apply new configuration
systemctl restart sshd systemctl restart sshd
# Display completion message and warnings # Display completion message and configuration summary
echo "SSH configuration has been updated and backed up to $BACKUP_FILE"
if [[ "$auth_choice" == "1" ]]; then
echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
echo "Your backup file is located at: $BACKUP_FILE"
fi
# Additional information
echo " echo "
SSH Configuration Summary:
-------------------------
Port: $new_port
Whitelisted IP: $allowed_ip
Authentication Method: ${auth_choice == 1 ? 'SSH Key' : 'Password'}
Backup File: $BACKUP_FILE
Important notes: Important notes:
1. Keep your backup file ($BACKUP_FILE) safe 1. Keep your backup file safe
2. Test your new SSH configuration in a new session before logging out 2. Test your new SSH configuration in a new session before logging out
3. If you get locked out, use the backup file to restore the previous configuration 3. If you get locked out, use the backup file to restore the previous configuration
4. For key-based authentication, ensure your public key is properly configured 4. The following command will be needed to connect:
ssh -p $new_port user@server_ip
Next steps:
1. Open a new terminal
2. Try to connect using the new configuration
3. Do NOT close this session until you confirm the new configuration works
" "
if [[ "$auth_choice" == "1" ]]; then
echo "WARNING: Make sure you have a valid SSH key configured before logging out!"
fi
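Review bot: The configuration summary added in the last hunk never reaches the operator, because `${auth_choice == 1 ? 'SSH Key' : 'Password'}` is not a valid bash expansion — bash reports a bad substitution and drops the whole `echo` (or aborts the script, depending on its mode), so the new port, whitelisted IP and backup path are not printed right after the config has gone live. Compute the label first, `auth_label="Password"` then `[[ "$auth_choice" == "1" ]] && auth_label="SSH Key"`, and print `Authentication Method: $auth_label` in the summary. Separately, the new mandatory `Port` and `AllowUsers` lines are written into `$SSHD_CONFIG` and then `systemctl restart sshd` runs with no check of the generated file; running `sshd -t -f "$SSHD_CONFIG"` before the restart and restoring `$BACKUP_FILE` on failure would catch a malformed config before it can lock the admin out. Whether the script enables `set -e` is not visible here, as the lines before `@@ -17,14` are outside this view.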